Here is the updated KB article with the false positive section replaced by the compensating controls and back-ported patches workflow.
Overview of Patching Cadence Issue Types
This Knowledge Base article refers to the following Patching Cadence Issue Types, not the broader Patching Cadence Score Factor:
- Critical/High/Medium/Low-Severity CVSS v3.0 Vulnerability Patching Cadence
- High/Medium/Low Severity CVEs Patching Cadence
What Are Patching Cadence Findings?
Patching Cadence Findings are vulnerabilities associated with CVEs (Common Vulnerabilities and Exposures) that appear in Scorecards when they are not patched within specific timeframes after being published in the NIST National Vulnerability Database (NVD) (NIST NVD).
Why Are Patching Cadence Findings Important?
Patching Cadence Findings reflect an organization’s response to patching vulnerabilities in a timely manner. If vulnerabilities are not patched quickly, it signals poor security posture. Delaying patches increases the risk of being targeted by attackers, which negatively impacts the organization’s Security Score.
When Are Patching Cadence Findings Not Added to the Scorecard?
Patching Cadence Findings will not be added to the Scorecard if the corresponding vulnerability is patched within the timeframes below:
| Severity | Timeframe (Days) |
| Critical-Severity | 30 days |
| High-Severity | 45 days |
| Medium-Severity | 90 days |
| Low-Severity | 120 days |
Note: These timeframes start from the date the CVE is first published in the NIST NVD.
When Are Patching Cadence Findings Added to the Scorecard?
If the vulnerability is not patched within the specified timeframe, the corresponding Severity CVE Patching Cadence findings will be added to the Scorecard.
How Can You Remove Patching Cadence Findings from the Scorecard?
Patching Cadence Findings are intended to reflect an organization’s past behavior regarding vulnerability remediation. While these findings typically decay over time, you can submit a resolution request to remove them under specific circumstances.
Examples include:
- You have remediated the vulnerability or security problem. For example, you applied a patch to a vulnerable version of a product.
- You have a compensating control in place. For example, you backported the operating system patch to an affected asset.
- You believe the finding is inaccurate.
Note: Provide as much detail and as many attachments as possible to help expedite the Support team’s review
Submitting findings for backported patches
If you have applied a backported patch to address a vulnerability, do not select Report as Fixed. When you report a finding as fixed, SecurityScorecard performs a new scan of the affected asset. Because backported patches do not change the version information your system reports externally, our scanner will detect the same conditions as before and reject the request.
Instead, follow these steps:
- Select Other resolutions, then select I have compensating controls.
- In your explanation, include the word backported or backported patch and describe the specific patch you applied.
Example: "We have applied a backported patch from our OS vendor that addresses CVE-XXXX-XXXX. The version string reported externally has not changed, but the vulnerability has been remediated."
What happens next: approvals, denials, and projected scores
After you submit a resolution request, our Support team reviews it and any evidence you provided. For information on our response times, see our Trust page.
If a finding is not manually resolved via a submission, it will remain on the scorecard until the decay period has been met with no further observations. Once the vulnerability is addressed, we will stop monitoring it, and the decay period begins from the date of the last observation of the open vulnerability.
Formula for Decay of Patching Cadence findings:
Decay Date of Finding = Date of Last Observation of the vulnerability + Decay Period
Decay Periods for Patching Cadence Findings
Once a Patching Cadence Finding is added to the Scorecard, the following decay periods apply based on the severity of the vulnerability:
| Severity | Decay Period (Days) |
| Critical-Severity | 150 Days |
| High-Severity | 120 Days |
| Medium-Severity | 90 Days |
| Low-Severity | 60 Days |
Difference Between Service Vulnerability and Patching Cadence Findings
| Aspect | Service Vulnerability in Last Observation | Patching Cadence Findings |
| Remediation | Can be remediated as soon as it is addressed. | Must decay over time based on the severity. |
| Scorecard Addition | Added to the Scorecard immediately once observed. | Only added after the specified timeframes since first publication. |